IBM Liberty OpenID Connect Error 403: AuthorizationFailed

Question (votes: 0, answers: 1)

I am trying to access a protected servlet (xyz) that requires the whoAmI role.

I am using Keycloak as the OpenID provider; this is my openid-connect configuration:

<openidConnectClient id="RP" scope="openid" signatureAlgorithm="RS256"
    clientId="liberty" clientSecret="secret"
    discoveryEndpointUrl="https://localhost:8243/auth/realms/abc/.well-known/openid-configuration"
    userIdentityToCreateSubject="id"
    groupIdentifier="groupof"
    realmName="abc"
    />
<application type="ear" location="/opt/was-services.ear"></application>

This is my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>

    <servlet>
        <servlet-name>abcServlet</servlet-name>
        <servlet-class>com.ABCServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>abcServlet</servlet-name>
        <url-pattern>/abc</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secure</web-resource-name>
            <url-pattern>/abc</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description></description>
            <role-name>test</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>test</description>
        <role-name>test</role-name>
    </security-role>
</web-app>

The EAR's META-INF/ibm-application-bnd.xml:

<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
                 xmlns="http://websphere.ibm.com/xml/ns/javaee"
                 version="1.2">

    <security-role name="test">
        <group name="gpTest"/>
    </security-role>

</application-bnd>

When I access the servlet, it redirects me to the Keycloak login page, and after a successful login it redirects me back to the servlet path, but then gives the error Error 403: AuthorizationFailed

The user is not granted access to any of the required roles: [test]

Liberty accepted the access token and created a session; I can see the WAS_p158005998 cookie in the browser. The authorization failure is baffling. I am not sure how to map Keycloak groups to Liberty.

Both the accessToken and the idToken contain the id and groupof (array) fields, as shown below.

{
  "id": "user1",
  "groupof": [
    "gpTest",
    "gpTest2"
  ]
}

Do I need to map any registry? Or is my application binding wrong (I tried using the group name gpTest directly, but it didn't work)?

java openid-connect websphere-liberty open-liberty
1 Answer

1 vote

In your application-bnd.xml file, I think the group element needs an access-id attribute, as described here:

https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/cwlp_authorization.html#d337475e272
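An added illustration of the binding the answer suggests; this is not code from the original question or answer. It reuses the realmName="abc" and groupIdentifier="groupof" values from the question's openidConnectClient element and the role name "test" from its web.xml. The access-id format group:<realmName>/<groupName> is my reading of the Liberty authorization documentation linked above, so treat it as an assumption and check it against that page for your Liberty version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
                 xmlns="http://websphere.ibm.com/xml/ns/javaee"
                 version="1.2">

    <!-- Role "test" is the role-name from web.xml's auth-constraint.
         The group name must match a value carried in the token's "groupof"
         claim, which server.xml maps to groups via groupIdentifier="groupof".
         The access-id qualifies that group with the realm from realmName="abc".
         Assumed access-id format: group:<realmName>/<groupName> -->
    <security-role name="test">
        <group name="gpTest" access-id="group:abc/gpTest"/>
    </security-role>

</application-bnd>
```

After redeploying with this binding, a useful two-sided check is to confirm that a user whose token carries gpTest now reaches /abc, and that a user whose token carries only gpTest2 still receives the 403, which shows the role is granted to exactly the intended group rather than to every authenticated Keycloak user.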
